Re: [Users] Static virtual ip address

Chris Ehlers wrote:
> After further inverstigation I found that freeswan i found that I misspelled

No, kicking out the connection is not the default behaviour. Instead an error message is written to the log that the certificate and with it the ID could not be loaded

 > Feb 19 17:48:41 VPN2 pluto[2783]:   could not open host cert file
 > '/etc/ipsec.d/certs/test2-cert.pem' #PROBLEM
 > Feb 19 17:48:41 VPN2 pluto[2783]: added connection description "test2"

but the following anonymous connection is created

conn test2

	right=%any
	leftsubnet=172.30.0.0/16
	rightsubnet=172.30.0.5/32

This means that anyone with a valid certificate issued by a trusted CA can connect when the subnets match this definition.

Recommendation: When setting up new connection definitions always check what actually has been loaded, using

    ipsec auto --status

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

Regards

Andreas

Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   
http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64

==========================================[strong internet security]===


_______________________________________________